Modern field guide to security and privacy

How to avoid becoming the next victim of ransomware

The rapid rise in computer attacks that encrypt files until victims pay off cybercriminals can be avoided if organizations take necessary precautions.

Molly Riley/AP
Hackers crippled the computer systems at a major hospital chain, MedStar Health Inc., in March, forcing records systems offline for thousands of patients and doctors. The FBI said it was investigating whether the unknown hackers demanded a ransom to restore systems.

Recently, I traveled to South Carolina to deliver a presentation on advanced threats and mitigation strategies and it wasn't long before the question-and-answer session turned to a discussion on ransomware.

One attendee wanted to know: Should businesses ever pay to recover encrypted files?

I stressed that victims should never pay ransoms because it only exacerbates an already out-of-control problem and there are never guarantees that files will be recovered after paying money to criminals.

After the session ended, an IT administrator for a local healthcare outfit approached me and pointedly told me his company was in the midst of paying the ransom after a pretty nasty infection and he wanted me to know that my "never pay" advice was impractical.

"It's really bad. We have no computers to use. All our backups are encrypted. It's a case of desperation. We either pay $800 or we spend thousands to rebuild systems and try to recover data. In practice, we have no choice but to pay the ransom," he explained. "Dude, it is real desperation. We simply can’t do business unless we pay."

It was a sobering moment that has stayed with me as I read multiple reports of US hospitals struggling to cope with malware attacks that encrypt files and other sensitive data. For hospitals, where being online and operational can be a life-or-death issue, the sense of desperation is entirely understandable.

Ransomware infections are growing at an alarming rate and experts say there's a new phase of this threat coming that will be even more devastating for large and small businesses alike.

Over the last two years, the FBI processed about 4,200 ransomware complaints and estimated victims lost more than $47 million. That's just the ones that filed a complaint. In reality, the majority of ransomware infections go unreported, meaning that this could already be a billion dollar cybercrime business.

"Right now, ransomware is absolutely an epidemic. Organizations, for a variety of reasons, are not in a good position to be able to defend against it," says Jason Lidow, president at The DigiTrust Group, a global managed services consultancy.

Hospitals are an obvious target because of the desperation factor and a general lax approach to computer security.

"Hospitals are dealing with legacy software and hardware mixtures in their environments. It’s difficult, if not impossible, to keep healthcare legacy software up to date. Hospitals have specific application packages that are expensive or too complicated to replace. Some of them are operating on Windows XP without patches," Mr. Lidow explained.

Costin Raiu, director of the research team at Kaspersky Lab (where I work), agrees. "It’s so much easier to infect a network full of unpatched software. Hospitals are among the least protected. They're running old, old versions of Windows. They have X-ray machines and other medical devices running on old servers with no usernames and default passwords," Mr. Raiu said, noting that hospitals are scrambling to pay the ransoms because retaining and securing patient data is such a crucial part of their operations.

For Santiago Pontiroli, a Kaspersky Lab malware researcher who specializes in tracking ransomware variants, basic computer security hygiene is also a big part of the problem. "Businesses will say they have backups but they will leave those backups connected to the shared drives and then the backups get encrypted."

"If you as the user can access the file and you have write access to that file, so can the ransomware. It doesn’t matter if the file is on Dropbox, shared drives, local drives or USB sticks, the ransomware will get to it," Mr. Pontiroli explained.

As a rule of thumb, he suggests that backups should be done on offline drives that should be unplugged and stored away immediately. "Even your cloud stored files are at risk. If your service doesn’t support file versioning, the ransomware can overwrite your files with an encrypted version and it’s game over."
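The point Mr. Pontiroli makes is that any backup the logged-in user can write to is a backup ransomware running as that user can encrypt. As an added example (not part of the original article), this script audits candidate backup locations from the user's context and flags those that are reachable and writable; the paths and labels are constructed for illustration.

```python
"""Audit whether backup destinations are reachable from the user context.

Constructed example: if the logged-in user can write to a backup location,
ransomware running as that user can too, so each candidate backup path is
classified as 'disconnected' (not mounted or plugged in), 'read-only', or
'exposed' (writable). Paths and labels below are assumptions for illustration.
"""
import os
import tempfile
import uuid


def classify_backup_target(path: str) -> str:
    """Return 'disconnected', 'read-only' or 'exposed' for one backup path."""
    if not os.path.isdir(path):
        # An unplugged USB drive or an unmounted share shows up as a missing directory.
        return "disconnected"
    probe = os.path.join(path, f".backup-audit-{uuid.uuid4().hex}")
    try:
        # Really create and remove a file: os.access() can be misleading on
        # network shares and for privileged users, so a real write is the test.
        with open(probe, "w") as fh:
            fh.write("probe")
        os.remove(probe)
    except OSError:
        return "read-only"
    return "exposed"


def audit_backup_targets(targets: dict) -> dict:
    """Map each label to its classification; 'exposed' targets need attention."""
    return {label: classify_backup_target(path) for label, path in targets.items()}


def exposed_targets(report: dict) -> list:
    """Labels whose backups would be encrypted along with the primary data."""
    return sorted(label for label, status in report.items() if status == "exposed")


def demo() -> dict:
    """Constructed sample: one always-connected writable share, one unplugged drive."""
    with tempfile.TemporaryDirectory() as tmp:
        mapped_share = os.path.join(tmp, "mapped_share")  # assumed always-mounted share
        os.makedirs(mapped_share)
        usb_drive = os.path.join(tmp, "unplugged_usb")    # assumed unplugged, so absent
        return audit_backup_targets({"mapped_share": mapped_share, "usb_drive": usb_drive})


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label}: {status}")
```

Run it on the real backup destinations for a workstation; every target reported as "exposed" is one the article's advice says should be taken offline.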

As consumers and businesses struggle to come to grips with the ransomware epidemic, there's an inevitability brewing that will leave everyone feeling the burn.

Experts are predicting that ransomware miscreants will merge with out-of-work APT (advanced persistent threat) operators to cause major damage to global companies, even those with dedicated security teams.

Imagine a world where a ransomware group has the ability to elevate privileges and go after organizations' best backup plans. It is logical that the booming success of the ransomware business will attract the more organized groups who are already skilled at targeted distribution.

To combat this next phase, businesses and consumers need a multilayered approach to staying safe. The use of modern antimalware technology with proactive protections is a no-brainer, along with regularly backing up important files and making sure they are stored offline. Add in a tinge of common sense when it comes to clicking on attachments and strange links and you can minimize your exposure to risk.

Which brings me back to paying ransoms.

I still believe that shelling out cash to cybercriminals is always a bad idea that makes things worse. But if your entire business is at stake, maybe you should have a rainy day ransomware fund as part of your security backup plan.

Ryan Naraine is the head of the global research and analysis team at Kaspersky Lab USA.
